• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Trend Micro OfficeScan Unauthenticated CGI Usage Vulnerability

Severity: MODERATE

Description:

Trend Micro OfficeScan is an antivirus software program which is deployable across an entire network. During the installation of the management software, the administrator is asked to choose between managing from a webserver or from a fileserver. If the webserver option is chosen, the administrator is given the capability to manage the OfficeScan network through an HTML interface. This can be accessed by requesting the authentication form which is located at http: //target/officescan/. It prompts the user for the admin password, however it is transmitted in plaintext which can be intercepted by any user on the network running a packet sniffer specifically searching for the string "TMLogon=<password>".

A larger problem exists in that any user with access to the web server is able to perform administrative functions without any sort of authorization simply by requesting specific URLs. This is accomplished by requesting certain CGI files such as jdkRqNotify.exe. A request for jdkRqNotify.exe in conjunction with a domain name on the network and an administrative event code number would allow any user on the network to perform certain administrative duties.

eg.
http://target/officescan/cgi/jdkRqNotify.exe?domain=<domain name>&event=<event code number>

Examples of event code numbers are:
11: Scan now
12: Uninstall
14: Roll back
15: New alert message
16: New intranet proxy
17: New privilege
18: New protocol
19: New password
20: New client

These OfficeScan vulnerabilities only exist on a Microsoft NT Server machine running Microsoft IIS. OfficeScan running on Novell Netware servers are not vulnerable.

Affected Products:

• Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.0.0
• Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.11.0
• Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.13.0
• Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.5.0
• Trend Micro OfficeScan For Microsoft SBS 4.5.0

References:

• Trend Micro: Frequently Asked Questions: OfficeScan Unauthenticated CGI Usage Vulnerability
• Trend Micro: Patch Availability: OfficeScan Unauthenticated CGI Usage Vulnerability
• Trend Micro: Trend Micro OfficeScan Product Homepage
• Trend Micro: Trend Security Bulletin - OfficeScan Unauthenticated CGI Usage Vulnerability

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.